Authorization Failures Alarm

01 Sign in to the AWS Management Console.

01 Navigate to Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

01 In the navigation panel, under Logs, choose Log groups.

01 Click on the name of the log group associated with your Amazon CloudTrail trail.

01 Select the Metric filters tab to access the metric filter(s) created for the selected log group.

01 On the Metric filters panel, search for the metric filter with the Filter pattern attribute value set to the following pattern: {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}. If there is no metric filter configured with the specified pattern, created for the selected log group, the unauthorized API calls made within your AWS cloud account are not monitored using Amazon CloudWatch.

01 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

01 Run describe-metric-filters command (OSX/Linux/UNIX) using the name of the CloudWatch Logs log group associated with your CloudTrail trail as the identifier parameter and custom query filters to list the name(s) of the metric filter(s) created for the selected log group. The following command example returns the name of each metric filter created for a log group named "cc-project5-log-group" that is associated with a multi-region CloudTrail trail:

aws logs describe-metric-filters
  --region us-east-1
  --log-group-name cc-project5-log-group
  --query "metricFilters[*].metricTransformations[*].[{"metricName": metricName, "metricNamespace": metricNamespace}] | []"

02 The command output should return the name and the namespace of each metric filter attached to the selected log group:

[
	[
		{
			"metricName": "VPCAccessFailure",
			"metricNamespace": "CloudTrailMetrics"
		}
	],
	[
		{
			"metricName": "RDSConnectionDrop",
			"metricNamespace": "CloudTrailMetrics"
		}
	]
]

03 Execute describe-metric-filters command (OSX/Linux/UNIX) using the name and the namespace of the Amazon CloudWatch metric filter that you want to examine as the identifier parameters, to describe the filter pattern configured for the selected metric filter:

aws logs describe-metric-filters
  --region us-east-1
  --metric-name VPCAccessFailure
  --metric-namespace CloudTrailMetrics
  --query "metricFilters[*].filterPattern"

04 The command output should return the requested metric filter pattern:

[
	"{ $.errorCode = \"AccessDenied\" }"
]

05 Repeat steps no. 3 and 4 to check each metric filter attached to the selected log group for the specified filter pattern. If none of the metric filters created for the log group associated with your CloudTrail trail have the required filter pattern, the unauthorized API calls made within your AWS cloud account are not monitored using Amazon CloudWatch.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/.

03 In the navigation panel, under Amazon SNS, select Topics.

04 Choose Create topic to initiate the setup process for the new SNS topic.

05 On the Create topic setup page, perform the following actions:

1. For Type, select Standard.
2. For Name, provide a unique name for the new SNS topic.
3. (Optional) For Encryption – optional, choose Enable encryption if you want to enable Server Side Encryption for the new topic. Select a Customer Master Key (CMK) or enter the ARN of an existing CMK in the Customer master key (CMK) box.
4. (Optional) For Tags – optional, create and configure tags sets for the new SNS topic. You can use tags to search and filter your topics and track your costs.
5. Choose Create topic to create your new Amazon SNS topic.

06 On the newly created SNS topic page, select the Subscriptions tab, and choose Create subscription.

07 On the Create subscription setup page, select Email from the Protocol dropdown list, provide the email address where you want to receive alert notifications in the Endpoint box, then choose Create subscription to apply the new subscription to your Amazon SNS topic.

08 Use your preferred email client to open the subscription message from the AWS Notifications, then click on the appropriate link to confirm your SNS subscription.

01 Run create-topic command (OSX/Linux/UNIX) to create the Amazon SNS topic required to send alert notifications whenever unauthorized API calls are detected within your AWS cloud account:

aws sns create-topic
  --region us-east-1
  --name cc-cloud-alert-sns-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe
  --region us-east-1
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic
  --protocol email
  --notification-endpoint alert@cloudconformity.com
  --return-subscription-arn

04 The command output should return the ARN of the new SNS subscription:

{
	"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription by validating the token sent to the subscription endpoint (i.e. your email address) specified at the previous step (the command should not produce an output):

aws sns confirm-subscription
  --region us-east-1
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic
  --token 5877392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d15578ded6f9a5c43aec62d83ef5f49109da730122

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

03 In the navigation panel, under Logs, choose Log groups.

04 Click on the name (link) of the log group associated with your Amazon CloudTrail trail.

05 Select the Metric filters tab and choose Create metric filter.

06 On the Create metric filter setup page, perform the following actions:

1. For Step 1 Define pattern, paste the following pattern in the Filter Pattern configuration box: {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}. This filter pattern will be used to scan your Amazon CloudTrail trail logs for "AccessDenied" and "UnauthorizedOperation" events. Choose Next to continue the setup process.
2. For Step 2 Assign metric, provide the following information:
   • In the Filter name box, enter a unique name for the new filter.
   • In the Metric namespace box, type CloudTrailMetrics.
   • In the Metric name box, type AuthorizationFailure for the metric name.
   • In the Metric value box, type 1.
   • (Optional) Choose Count from the Unit – optional dropdown list.
   • Choose Next to continue.
3. For Step 3 Review and create, review the new metric filter configuration data, and choose Create metric filter.

07 On the Metric filters panel, select the newly created metric filter, and choose Create alarm.

08 On the Create alarm setup page, perform the following operations:

1. For Step 1 Specify metric and conditions, perform the following actions:
   • In the Metric section, select Sum from the Statistic list, and choose 5 minutes from the Period dropdown list.
   • In the Conditions section, select Static as Threshold type. For Whenever AuthorizationFailure is…, select Greater/Equal (greater than or equal to), and enter 1 as the threshold value within than… configuration box to trigger the CloudWatch alarm every time there is an AWS cloud API authorization failure.
   • Choose Next to continue the setup process.
2. For Step 2 Configure actions, define the alarm state that will trigger the CloudWatch alarm action by selecting In alarm under Alarm state trigger, then choose Select an existing SNS topic and select the name of the SNS topic created at Step 1 from the Send a notification to… list. Choose Next to continue.
3. For Step 3 Add name and description, provide a unique name and a short description (optional) for your new CloudWatch alarm in the Alarm name and Alarm description boxes. Choose Next to continue.
4. For Step 4 Preview and create, review the alarm configuration details, then choose Create alarm to create your new Amazon CloudWatch alarm. Once the data is loaded, the State (status) of the newly created alarm will change from Insufficient data to OK.

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the required CloudWatch metric filter and associate it with your Amazon CloudTrail trail. The pattern defined as value for the --filter-pattern command parameter will be used to scan your Amazon CloudTrail trail logs for "AccessDenied" and "UnauthorizedOperation" events (if successful, the command should not return an output):

aws logs put-metric-filter
  --region us-east-1
  --log-group-name cc-project5-log-group
  --filter-name AWSCloudAuthorizationFailure
  --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}'
  --metric-transformations metricName=AuthorizationFailure,metricNamespace=CloudTrailMetrics,metricValue=1

02 Run put-metric-alarm command (OSX/Linux/UNIX) to create the Amazon CloudWatch alarm that will fire whenever an authorization failure will occur in your AWS cloud account (if successful, the command does not produce an output):

aws cloudwatch put-metric-alarm
  --region us-east-1
  --alarm-name "AWSAuthorizationFailureAlarm"
  --alarm-description "Triggered when unauthorized AWS API calls are made"
  --metric-name AuthorizationFailure
  --namespace CloudTrailMetrics
  --statistic Sum
  --comparison-operator GreaterThanOrEqualToThreshold
  --evaluation-periods 1
  --period 300
  --threshold 1
  --actions-enabled
  --alarm-actions arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic